sality | 50c2b3b13016f85e3400ab105711877d49414c42971483d8f3e1a3c301a13034

Analysis

max time kernel
141s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 12:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

50c2b3b13016f85e3400ab105711877d49414c42971483d8f3e1a3c301a13034_NeikiAnalytics.dll
Size

120KB
MD5

b3d16075f01ba93d8550fa09356001e0
SHA1

f2a2ef82dc871442cdfced26f5f9d60e7ac744ac
SHA256

50c2b3b13016f85e3400ab105711877d49414c42971483d8f3e1a3c301a13034
SHA512

7d0d806359cac9b7bb8de1e5aeeb7e53742e3e43edc53a6907c33b46c6cddecfd0b0d4d81c5962add45a37d9ae0d83c2f2cf3dfea215986ec212c66c21a45209
SSDEEP

1536:2+Vfseo2G+M3dkaG4UEQ/7I9Nxlcs++EAqIY5jY2ka2COv9P8tz31ufnNQ2+B:F5o2G+M3dkafUwN74nsaalIz3Q+2m

Score

10^/10

sality backdoor evasion trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

e5731af.exee575311.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	e5731af.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e575311.exee5731af.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5731af.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5731af.exee575311.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575311.exe

Executes dropped EXE 3 IoCs

Processes:

e5731af.exee5732e7.exee575311.exe

pid process

4012 e5731af.exe
3140 e5732e7.exe
1676 e575311.exe

pid	process
4012	e5731af.exe
3140	e5732e7.exe
1676	e575311.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4012-6-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-8-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-10-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-11-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-13-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-9-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-12-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-31-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-27-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-26-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-32-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-37-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-36-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-38-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-40-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-39-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-42-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-51-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-52-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-62-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-64-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-65-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-66-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-70-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-71-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-74-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-75-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-83-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/4012-84-0x0000000000800000-0x00000000018BA000-memory.dmp	upx
behavioral2/memory/1676-115-0x0000000000B30000-0x0000000001BEA000-memory.dmp	upx
behavioral2/memory/1676-153-0x0000000000B30000-0x0000000001BEA000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

e5731af.exee575311.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e575311.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e5731af.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	e575311.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	e575311.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

e5731af.exee575311.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575311.exe

Enumerates connected drives 3 TTPs 15 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e575311.exee5731af.exe

description	ioc	process
File opened (read-only)	\??\G:	e575311.exe
File opened (read-only)	\??\Q:	e5731af.exe
File opened (read-only)	\??\M:	e5731af.exe
File opened (read-only)	\??\H:	e5731af.exe
File opened (read-only)	\??\J:	e5731af.exe
File opened (read-only)	\??\P:	e5731af.exe
File opened (read-only)	\??\E:	e5731af.exe
File opened (read-only)	\??\I:	e5731af.exe
File opened (read-only)	\??\K:	e5731af.exe
File opened (read-only)	\??\L:	e5731af.exe
File opened (read-only)	\??\N:	e5731af.exe
File opened (read-only)	\??\O:	e5731af.exe
File opened (read-only)	\??\E:	e575311.exe
File opened (read-only)	\??\H:	e575311.exe
File opened (read-only)	\??\G:	e5731af.exe

Drops file in Program Files directory 3 IoCs

Processes:

e5731af.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\7z.exe	e5731af.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	e5731af.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e5731af.exe

Drops file in Windows directory 3 IoCs

Processes:

e5731af.exee575311.exe

description ioc process

File created C:\Windows\e5731fd e5731af.exe
File opened for modification C:\Windows\SYSTEM.INI e5731af.exe
File created C:\Windows\e5783d6 e575311.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

e5731af.exee575311.exe

pid process

4012 e5731af.exe
4012 e5731af.exe
4012 e5731af.exe
4012 e5731af.exe
1676 e575311.exe
1676 e575311.exe

description	ioc	process
File created	C:\Windows\e5731fd	e5731af.exe
File opened for modification	C:\Windows\SYSTEM.INI	e5731af.exe
File created	C:\Windows\e5783d6	e575311.exe

pid	process
4012	e5731af.exe
4012	e5731af.exe
4012	e5731af.exe
4012	e5731af.exe
1676	e575311.exe
1676	e575311.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

e5731af.exe

description	pid	process
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe
Token: SeDebugPrivilege	4012	e5731af.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exee5731af.exee575311.exe

description	pid	process	target process
PID 4560 wrote to memory of 4304	4560	rundll32.exe	rundll32.exe
PID 4560 wrote to memory of 4304	4560	rundll32.exe	rundll32.exe
PID 4560 wrote to memory of 4304	4560	rundll32.exe	rundll32.exe
PID 4304 wrote to memory of 4012	4304	rundll32.exe	e5731af.exe
PID 4304 wrote to memory of 4012	4304	rundll32.exe	e5731af.exe
PID 4304 wrote to memory of 4012	4304	rundll32.exe	e5731af.exe
PID 4012 wrote to memory of 772	4012	e5731af.exe	fontdrvhost.exe
PID 4012 wrote to memory of 780	4012	e5731af.exe	fontdrvhost.exe
PID 4012 wrote to memory of 1016	4012	e5731af.exe	dwm.exe
PID 4012 wrote to memory of 2612	4012	e5731af.exe	sihost.exe
PID 4012 wrote to memory of 2840	4012	e5731af.exe	svchost.exe
PID 4012 wrote to memory of 3056	4012	e5731af.exe	taskhostw.exe
PID 4012 wrote to memory of 3448	4012	e5731af.exe	Explorer.EXE
PID 4012 wrote to memory of 3544	4012	e5731af.exe	svchost.exe
PID 4012 wrote to memory of 3748	4012	e5731af.exe	DllHost.exe
PID 4012 wrote to memory of 3836	4012	e5731af.exe	StartMenuExperienceHost.exe
PID 4012 wrote to memory of 3900	4012	e5731af.exe	RuntimeBroker.exe
PID 4012 wrote to memory of 3988	4012	e5731af.exe	SearchApp.exe
PID 4012 wrote to memory of 2860	4012	e5731af.exe	TextInputHost.exe
PID 4012 wrote to memory of 4768	4012	e5731af.exe	RuntimeBroker.exe
PID 4012 wrote to memory of 1004	4012	e5731af.exe	backgroundTaskHost.exe
PID 4012 wrote to memory of 4636	4012	e5731af.exe	backgroundTaskHost.exe
PID 4012 wrote to memory of 4560	4012	e5731af.exe	rundll32.exe
PID 4012 wrote to memory of 4304	4012	e5731af.exe	rundll32.exe
PID 4012 wrote to memory of 4304	4012	e5731af.exe	rundll32.exe
PID 4304 wrote to memory of 3140	4304	rundll32.exe	e5732e7.exe
PID 4304 wrote to memory of 3140	4304	rundll32.exe	e5732e7.exe
PID 4304 wrote to memory of 3140	4304	rundll32.exe	e5732e7.exe
PID 4304 wrote to memory of 1676	4304	rundll32.exe	e575311.exe
PID 4304 wrote to memory of 1676	4304	rundll32.exe	e575311.exe
PID 4304 wrote to memory of 1676	4304	rundll32.exe	e575311.exe
PID 4012 wrote to memory of 772	4012	e5731af.exe	fontdrvhost.exe
PID 4012 wrote to memory of 780	4012	e5731af.exe	fontdrvhost.exe
PID 4012 wrote to memory of 1016	4012	e5731af.exe	dwm.exe
PID 4012 wrote to memory of 2612	4012	e5731af.exe	sihost.exe
PID 4012 wrote to memory of 2840	4012	e5731af.exe	svchost.exe
PID 4012 wrote to memory of 3056	4012	e5731af.exe	taskhostw.exe
PID 4012 wrote to memory of 3448	4012	e5731af.exe	Explorer.EXE
PID 4012 wrote to memory of 3544	4012	e5731af.exe	svchost.exe
PID 4012 wrote to memory of 3748	4012	e5731af.exe	DllHost.exe
PID 4012 wrote to memory of 3836	4012	e5731af.exe	StartMenuExperienceHost.exe
PID 4012 wrote to memory of 3900	4012	e5731af.exe	RuntimeBroker.exe
PID 4012 wrote to memory of 3988	4012	e5731af.exe	SearchApp.exe
PID 4012 wrote to memory of 2860	4012	e5731af.exe	TextInputHost.exe
PID 4012 wrote to memory of 4768	4012	e5731af.exe	RuntimeBroker.exe
PID 4012 wrote to memory of 1004	4012	e5731af.exe	backgroundTaskHost.exe
PID 4012 wrote to memory of 4636	4012	e5731af.exe	backgroundTaskHost.exe
PID 4012 wrote to memory of 3140	4012	e5731af.exe	e5732e7.exe
PID 4012 wrote to memory of 3140	4012	e5731af.exe	e5732e7.exe
PID 4012 wrote to memory of 3244	4012	e5731af.exe	RuntimeBroker.exe
PID 4012 wrote to memory of 5028	4012	e5731af.exe	RuntimeBroker.exe
PID 4012 wrote to memory of 1676	4012	e5731af.exe	e575311.exe
PID 4012 wrote to memory of 1676	4012	e5731af.exe	e575311.exe
PID 1676 wrote to memory of 772	1676	e575311.exe	fontdrvhost.exe
PID 1676 wrote to memory of 780	1676	e575311.exe	fontdrvhost.exe
PID 1676 wrote to memory of 1016	1676	e575311.exe	dwm.exe
PID 1676 wrote to memory of 2612	1676	e575311.exe	sihost.exe
PID 1676 wrote to memory of 2840	1676	e575311.exe	svchost.exe
PID 1676 wrote to memory of 3056	1676	e575311.exe	taskhostw.exe
PID 1676 wrote to memory of 3448	1676	e575311.exe	Explorer.EXE
PID 1676 wrote to memory of 3544	1676	e575311.exe	svchost.exe
PID 1676 wrote to memory of 3748	1676	e575311.exe	DllHost.exe
PID 1676 wrote to memory of 3836	1676	e575311.exe	StartMenuExperienceHost.exe
PID 1676 wrote to memory of 3900	1676	e575311.exe	RuntimeBroker.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

e5731af.exee575311.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e5731af.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e575311.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:780

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1016

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2840

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3056

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\50c2b3b13016f85e3400ab105711877d49414c42971483d8f3e1a3c301a13034_NeikiAnalytics.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\50c2b3b13016f85e3400ab105711877d49414c42971483d8f3e1a3c301a13034_NeikiAnalytics.dll,#1
3⤵
- Suspicious use of WriteProcessMemory
PID:4304

C:\Users\Admin\AppData\Local\Temp\e5731af.exe
C:\Users\Admin\AppData\Local\Temp\e5731af.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4012

C:\Users\Admin\AppData\Local\Temp\e5732e7.exe
C:\Users\Admin\AppData\Local\Temp\e5732e7.exe
4⤵
- Executes dropped EXE
PID:3140

C:\Users\Admin\AppData\Local\Temp\e575311.exe
C:\Users\Admin\AppData\Local\Temp\e575311.exe
4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3544

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3748

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3836

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3900

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3988

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2860

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4768

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1004

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4636

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3244

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5028

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\e5731af.exe
Filesize
97KB

MD5
4f0811e1cd5b4235a434044444b4826a

SHA1
fd6947f5009a5adbe03fa473ba36dbf7e34835df

SHA256
6a860e6e4754ddb5e1d28acfa347920163df24937309643f1a7df1113f8fb1f3

SHA512
19a8189b61cd9fc21926f3842328e3cc717be71f0f4aab71e348259bedf5fe71259cd540b4f519fc5b6d385f4bee3e6a23e1f67c117cfd3fd865b7a9578ff268

Download Submit
C:\Windows\SYSTEM.INI
Filesize
257B

MD5
89bc4dae252e46369daae92ab2a82969

SHA1
006e3a0734c920cea2cf5dcc54c8d7f0735c3e59

SHA256
b3999cad61be3c4aba9f33ed832203beb16e293d24b1c2945881793c421c8f45

SHA512
a011f42dcd5844c898e703377ff11552c05bea8c23b7eb17bde3b02d01dd2114fddfd7439e921eb591e875c3a982899407466da954430550cd899c5b0d3722e8

Download Submit
memory/1676-59-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1676-154-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1676-153-0x0000000000B30000-0x0000000001BEA000-memory.dmp

Filesize
16.7MB

Download
memory/1676-50-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1676-115-0x0000000000B30000-0x0000000001BEA000-memory.dmp

Filesize
16.7MB

Download
memory/1676-61-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/1676-57-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3140-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3140-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3140-55-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/3140-124-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3140-35-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4012-39-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-12-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-5-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4012-6-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-8-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-10-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-28-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/4012-32-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-37-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-36-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-38-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-40-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-26-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-42-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-27-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-51-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-52-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-31-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-11-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-30-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/4012-9-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-13-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-18-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

Filesize
4KB

Download
memory/4012-62-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-64-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-65-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-66-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-70-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-71-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-74-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-75-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-83-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-84-0x0000000000800000-0x00000000018BA000-memory.dmp

Filesize
16.7MB

Download
memory/4012-93-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/4012-103-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4304-1-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/4304-29-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download
memory/4304-14-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download
memory/4304-15-0x0000000000AD0000-0x0000000000AD2000-memory.dmp

Filesize
8KB

Download
memory/4304-16-0x0000000003B40000-0x0000000003B41000-memory.dmp

Filesize
4KB

Download